<HTML>
<HEAD>
<TITLE>User Management Overview</TITLE>
<LINK REL="stylesheet" HREF="../../../style/normal_ws.css" TYPE="text/css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>

<BODY BGCOLOR="#FFFFFF">

<TABLE class=apitable BORDER="0" BORDERCOLOR="#FFFFFF" BGCOLOR="#FFFFFF"><TR BORDERCOLOR="#FFFFFF"><TD>


<H1>User Management Overview
</H1><P>For a totally password protected site ( typical  for remote management applications), it is desirable to have multiple user IDs with  multiple security levels.  The Web server would have  known users, who would enter  passwords to obtain Web server access.  In addition, individual pages or groups of pages on the Web server may have   special security requirements.</P><H2>Access Authentication</H2><P>Whenever a Web browser attempts to access a page on a server that requires a user ID and password, a browser and server dialog begins that is called &quot;Access Authentication&quot;.  Two kinds of Access Authentication are used:  Basic (BAA) and Digest (DAA).  </P><P>The Web browser presentation for Digest Access Authentication is the same as for Basic Access Authentication:  the user typically is prompted for a user ID and password before obtaining access to a URL.  The difference between the two is behind the scenes.  In the case of Basic Access, passwords are sent as clear text.  Digest Access is different in that a &quot;digest&quot; is sent, typically created by the MD5 message digest algorithm that takes the user ID, the password, and a &quot;realm value&quot; as arguments.</P><P>In WebServer 2.1, both   types of Access Authentication are supported.  URL pages can have   an &quot;Access Method&quot; associated with them that determines how the page is accessed. These are  as follows:</P><BLOCKQUOTE><P>  <B>NONE</B> - The URL page cannot be accessed.<BR>  <B>FULL</B> -  The URL can always be accessed, without authentication.<BR> <B>BASIC</B> -  BAA is required before the page can be accessed.<BR>  <B>DIGEST</B> -  DAA is required before the page can be accessed.</P></BLOCKQUOTE><H2>Users </H2><P>The user management configuration database contains a user table containing user records with these data elements:</P><BLOCKQUOTE><P> <B>User ID</B> - Uniquely identifies a user<BR> <B>User Password</B> - Encrypted in local storage<BR> <B>User Group</B> - Determines a user's  access rights<BR> <B>Protected</B> - Determines if the user record can be deleted<BR>  <B>Enabled</B> - Determines if the user record can be used</P></BLOCKQUOTE><H2> User Groups </H2><P>The user management configuration database contains a table for user groups with  the following data elements:</P><BLOCKQUOTE><P><B>Group Name</B> - Uniquely identifies a group (e.g.; &quot;administrators&quot; or  &quot;guests&quot;).<BR><B>Privileges</B> - Can be one or more of none, read-files, execute-files, and administrate<BR><B>Default Access Method</B> -  determines the access method for members of this group<BR><B>Protected</B> - Determines if the user record can be deleted<BR><B>Enabled</B> - Determines if the user record can be used</P></BLOCKQUOTE><H2>URL Access Limits</H2><P>The user management configuration database contains a table for URL access limits.  Access Limits are used when certain directories or URL pages on the Web site have exceptionally secure access limits.  If a directory has an access limit associated with it, its contents will have the same access limit as the directory, unless there is a specific access limit for a specific page.</P><P>Access Limits have these  data elements:</P><P><B>URL Name</B> - Defines the file path of the Web page or directory<BR><B>Default Access Method</B> - Determines how the page should be accessed<BR><B>Encryption Required</B> - Determines if the page should be transmitted encrypted<BR><B>User Group</B> - Optionally limits access to the page to a specific user group</P><H2>User Management and Access to URLs</H2><P>When a page is requested,   WebServer will check to see if there is a URL Access Limit assigned for the requested page.  If an Access Limit is found, then the following checks are made:</P><P>If no user group is  assigned to the access limit, then the default access method takes effect.  In this case, the Web server takes these actions:</P><BLOCKQUOTE><P>  If Default Access Method is NONE, respond with a File not Found header.<BR>  If Default Access Method is FULL, returns the requested page.<BR> If Default Access Method is BASIC or DIGEST and  there is a user ID and password in the request that check out, returns the requested page.  Otherwise, it returns an Authenticate Response Header.</P></BLOCKQUOTE><P>If there is a user group assigned to the access limit, then the previous actions are taken, but use  the group's access method for the requested page.</P><P>&nbsp;
</P></TD></TR></TABLE>
</BODY>
</HTML>
